Reputation: 11
I have problem with Keycloak's configuration and Single Logout from SAML Identity Provider.
Scenario:
However, if user logs out from IP first, SP session is not closed and user is still logged in:
Keycloak correctly receives the samlp:LogoutRequest and returns <samlp:LogoutResponse ...><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status></samlp:LogoutResponse>
In the KC admin console I can still see there is an active session for the given client (and user). Actually I can see the SAML logout request from the IP only in KC stdout (request-dumper filter), but no logout event occurred in KC.
I don't really understand in detail how SAML works, but shouldn't the user be logged out from the SP using SLO? Or maybe I am missing something in KC's client/realm/IP configuration? Thank you for your help/explanation.
Upvotes: 0
Views: 3248
Reputation: 177
Requirements for Global Logout to work
When you log out from the SP first, your SP sends a logout request to the IdP, and that's why you are logged out from the IdP as well as the SP. But in the other case, I believe the Logout URL is not being called (which could be due to missing configuration in the client).
Can you post a screenshot of the configuration to help you better?
Upvotes: 2
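The question shows a Success LogoutResponse while the Keycloak session stays alive, and the answer points at the SP-side logout configuration. The following added example (not code from the question, the answer, or Keycloak) parses a constructed LogoutRequest/LogoutResponse pair and checks, the way a troubleshooter would, whether the response actually corresponds to the request and whether the session named by NameID and SessionIndex is really gone; the session list is an assumed stand-in for what the admin console shows.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample messages (not captured from the poster's deployment).
LOGOUT_REQUEST = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_req1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <saml:NameID>alice</saml:NameID>
  <samlp:SessionIndex>_sess42</samlp:SessionIndex>
</samlp:LogoutRequest>"""

LOGOUT_RESPONSE = """<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_resp1" Version="2.0" IssueInstant="2020-01-01T00:00:01Z" InResponseTo="_req1">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
</samlp:LogoutResponse>"""


def parse_logout_request(xml_text):
    """Pull out the fields an SP needs to find the session it must terminate."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:NameID", NS)
    return {
        "id": root.get("ID"),
        "name_id": name_id.text if name_id is not None else None,
        "session_indexes": [s.text for s in root.findall("samlp:SessionIndex", NS)],
    }


def parse_logout_response(xml_text):
    """Return the correlation id and top-level status code of a LogoutResponse."""
    root = ET.fromstring(xml_text)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    return {"in_response_to": root.get("InResponseTo"),
            "status": code.get("Value") if code is not None else None}


def check_slo(request, response, active_sessions):
    """A Success status only proves the message round-trip; the session must be gone too."""
    if response["in_response_to"] != request["id"]:
        return "response does not match request"
    if response["status"] != SUCCESS:
        return "logout failed: " + str(response["status"])
    leftover = [s for s in active_sessions
                if s["name_id"] == request["name_id"]
                and s["session_index"] in request["session_indexes"]]
    return "session still active" if leftover else "ok"
```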